Bolstering Your Digital Defenses – A Security Audit Checklist for the Linux Desktop

This article assumes you’re a desktop home or small office user with reasonable computer tech skills and motivation to learn. As such it’s been written more as an outline than a comprehensive step-by-step guide.

See the article on securing your WiFi. Your router is your first line of defense.

If using web based email, see article ‘How to check and secure web based email’.

If not using Linux, see article ‘Best Distribution of Linux’.

Revise your computing habits.

Why risk file sharing when there’s a free open source application to do everything you can do with pay-ware? There’s a lifetime supply of music and movies via free streaming, YouTube, the library or Netflix. Even open source software is best downloaded directly from the developer’s site to avoid malware and other complications. If you still need to file share, consider setting it up on a separate dedicated machine and research how to secure it.

Dedicate one machine for your normal daily work and use only trusted software, websites and methods. Use a second machine or virtualization to experiment and do general research activity. You’d be surprised how many bogus sites you can stumble across while searching for ordinary things.

Store your data on a separate partition or preferably a second physical hard disk. This way, if your OS gets tangled up you won’t have to hassle with data recovery.

Make data backups. I prefer external hard disks and USB sticks. A safe adds another level of protection, and some people even put a drive in a bank deposit box. Physical security is NOT an obsolete standard of data backup! Cloud backups are not suitable for sensitive data as you don’t really know who has access. There’s a reason top data centers are built into bunkers, have redundant locations and don’t outsource backups. You can scale the concept for home use.

Use a decent password on your local machine, and set it up to require entering it on boot. If your machine is in an area accessible to unauthorized others, lock the screen while away.

Steps to secure your Linux Desktop environment.

Software Firewall: Most distros include ufw (Uncomplicated Firewall) but it isn’t always turned on by default. It can be enabled from the command prompt or a GUI interface such as Gufw. Allow all outgoing connections and deny all incoming ones unless needed, such as for a game or webcam. As the name implies, it really is about that easy.
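As an added example (not code from the original article), the shell snippet below applies the policy just described and then verifies it by parsing the output of ‘ufw status verbose’. The parsing functions are exercised against constructed sample output so the check can be tried without root or ufw installed; the exact ‘Status:’ and ‘Default:’ line formats are those printed by ufw.

```shell
#!/bin/sh
# Added example: baseline ufw policy plus a check of "ufw status verbose".
# Not part of the original article.

# Apply the policy described above: deny incoming, allow outgoing, enable.
# Add "sudo ufw allow <port>/<proto>" only for services you knowingly run.
apply_ufw_baseline() {
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw enable
}

# check_ufw_policy: reads "ufw status verbose" text on stdin.
# Returns 0 only if the firewall is active AND the defaults match the baseline.
check_ufw_policy() {
  text=$(cat)
  printf '%s\n' "$text" | grep -q '^Status: active$' || return 1
  printf '%s\n' "$text" | grep -q '^Default: deny (incoming), allow (outgoing)' || return 1
  return 0
}

# count_allow_in: number of rules accepting incoming traffic (ALLOW IN).
# Every one of these should be a service you opened on purpose.
count_allow_in() {
  grep -c 'ALLOW IN' || true
}

# Constructed sample output (what a correctly configured box prints).
SAMPLE_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# Constructed sample output for a firewall that was never enabled.
SAMPLE_INACTIVE='Status: inactive'

# On a real machine, check the live configuration (needs root to query ufw).
if command -v ufw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  if ufw status verbose | check_ufw_policy; then
    echo "ufw baseline OK"
  else
    echo "ufw baseline NOT met: run apply_ufw_baseline"
  fi
fi
```

Run it as root to test the live firewall; otherwise the functions are available for use against saved output.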

System Updates: Check at least weekly for Level 1, 2 and 3 updates, but don’t install Level 4 and 5 packages, the ones flagged as unsafe and dangerous. Check your software sources and PPAs for entries you don’t recognize, and never add a PPA you don’t trust.
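An added example (not from the original article) of the software-sources check: it pulls the repository host out of every active ‘deb’ / ‘deb-src’ line in the classic one-line sources.list format and reports hosts that are not on an allowlist. The allowlist and the sample sources are constructed assumptions; substitute the repositories you actually trust.

```shell
#!/bin/sh
# Added example: audit apt sources for repositories you do not recognize.
# Not part of the original article. Handles the one-line sources.list format
# only (assumption); deb822 ".sources" files are not parsed.

# Constructed allowlist: the hosts YOU decided to trust. Edit to taste.
TRUSTED_HOSTS='packages.linuxmint.com deb.debian.org security.debian.org'

# extract_repo_hosts: reads sources.list-style lines on stdin and prints the
# host of every active deb/deb-src entry, one per line, duplicates removed.
extract_repo_hosts() {
  sed -e 's/#.*//' | awk '$1 == "deb" || $1 == "deb-src" {
      url = ""
      # the URL is the first field after an optional [options] block
      for (i = 2; i <= NF; i++) if ($i ~ /^[a-z]+:\/\//) { url = $i; break }
      if (url == "") next
      sub(/^[a-z]+:\/\//, "", url)   # strip scheme
      sub(/\/.*/, "", url)           # keep only the host
      print url
    }' | sort -u
}

# flag_unknown_repos: prints every host not in TRUSTED_HOSTS.
# Returns 0 if all hosts are known, 1 otherwise.
flag_unknown_repos() {
  unknown=0
  for host in $(extract_repo_hosts); do
    case " $TRUSTED_HOSTS " in
      *" $host "*) ;;
      *) echo "UNRECOGNIZED: $host"; unknown=1 ;;
    esac
  done
  return $unknown
}

# Constructed sample: a distro mirror, Debian, a commented-out line and a PPA.
SAMPLE_SOURCES='deb http://packages.linuxmint.com/ stable main upstream import
deb http://deb.debian.org/debian stable main
# deb-src http://deb.debian.org/debian stable main
deb [arch=amd64] http://ppa.launchpad.net/someone/ppa/ubuntu bionic main'

# On a real machine, run the check over every configured source file.
if [ -r /etc/apt/sources.list ]; then
  cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null \
    | flag_unknown_repos || echo "Review the entries above before updating."
fi
```

In the sample the PPA host is reported as unrecognized, which is exactly the kind of entry the checklist says to research or remove.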

Secure the Browser: The ‘NoScript’ and ‘Adblock Plus’ plug-ins are your best two friends for on-line security! Limit what sites are authorized to the minimum needed, and if it’s not a site you frequent, only give temporary permission. If a site has a long list of domains wanting to put crap in your browser and won’t load until you allow them, maybe go elsewhere for the information. Except for the actual domain you’re visiting and its companion CDN (Content Distribution Network), most of those additional sites are used to track your habits.

Periodically check all of your browser’s settings, including installed plug-ins, add-ons and extensions, for ones you don’t recognize. Always use ‘https’ mode for email, banking, on-line shopping and similar. Set your preferences to NOT remember passwords and to erase everything on exit. Also check network settings for malicious proxy entries.

Malware: rkhunter and chkrootkit are two command line utilities you’ll want to take the time to know. They’re extremely valuable for detecting the most likely forms of malware on a Linux box and not as complex to use as a first glance might seem. In the terminal shell, enter the following commands:

sudo aptitude install rkhunter
sudo rkhunter --check

then …

sudo aptitude install chkrootkit
sudo chkrootkit

* Note these utilities sometimes report a false positive. If you get a warning on anything, do a search on it to see if it’s something requiring action. Example: chkrootkit sometimes reports /sbin/init to be infected with the Suckit rootkit, even on a fresh install while rkhunter reports the file is OK.

Anti-Virus: There are viruses that target Linux, albeit relatively rare. There’s little reason not to check when good free tools exist, such as clamav and its GUI counterpart clamtk.

Cleanup: BleachBit (available for most platforms) does what the infamous CCleaner does for Windows. It cleans up the crap. You can free hundreds of megs of logs that don’t matter and cached browser files. When selecting what to scan for, skip anything that says it’s slow, experimental or likely to harm ferrets. Also skip cleanup of thumbnail images so the system doesn’t have to re-create them every time you re-open a picture folder.

Users: Check for and eliminate unused ones. By default, most distros should only have the one created when you installed Linux. It’s not a bad idea to have a backup account for yourself and, if needed, one with limited privileges for a friend. Never log in and operate as root; use the ‘sudo’ command if there’s an admin task to do.
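An added example (not from the original article) for the user check: it reads passwd-format lines and lists the accounts that actually have a login shell, so an unused or forgotten account stands out. It assumes the common conventions that human accounts have UID 1000 or higher and that system accounts use a non-login shell such as nologin or false; the sample passwd content is constructed.

```shell
#!/bin/sh
# Added example: find accounts that can log in. Not part of the original
# article. Assumes the UID >= 1000 convention for human accounts.

# login_accounts: reads /etc/passwd-style lines on stdin and prints
# "name:uid:shell" for every account whose shell is not nologin/false.
login_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }'
}

# human_accounts: the subset of login_accounts with UID >= 1000.
# Every name printed here should be someone you recognize.
human_accounts() {
  login_accounts | awk -F: '$2 >= 1000 { print $1 }'
}

# Constructed sample passwd content: root, two system accounts, the install
# user, a spare account, a disabled guest and nobody.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
spare:x:1001:1001:,,,:/home/spare:/bin/bash
guest:x:1002:1002:,,,:/home/guest:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# On a real machine, list the accounts that can log in right now.
if [ -r /etc/passwd ]; then
  echo "Accounts with a login shell (name:uid:shell):"
  login_accounts < /etc/passwd
  echo "Human accounts (UID >= 1000):"
  human_accounts < /etc/passwd
fi
```

Low-UID entries with an unusual shell (like ‘sync’ in the sample) also appear in the first list; research any you don’t recognize before touching them.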

Services: Disable web, ftp, telnet, SSH servers, bluetooth and the like unless you need them. Research ones you don’t recognize. Some important functions rely on certain services, so do some checking and go easy. Disable local file and print sharing except when you use it.

Confirm: whatsmyip.org can scan your network from the outside, and unless you specifically opened a port or service for a reason, there shouldn’t be anything visible to the outside world. It’s your properly configured router’s job to block all that. For a more advanced check, Wireshark can scan your network internally, and there shouldn’t be any open ports you don’t recognize. Investigate if there are.
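For the services and open-ports checks above, here is an added example (not from the original article) that inspects what is listening on the machine itself. It parses the output of iproute2’s ‘ss -tuln’ (assumed available), ignores sockets bound only to loopback, and reports every remaining listener not on a short list of ones you expect. The sample ss output and the expected-listener list are constructed.

```shell
#!/bin/sh
# Added example: list listening sockets reachable from the network and flag
# the ones you did not expect. Not part of the original article.
# Assumes the column layout of "ss -tuln": Netid State Recv-Q Send-Q Local Peer.

# Constructed expectation: only SSH should be reachable on this box.
KNOWN_LISTENERS='tcp/22'

# exposed_listeners: reads "ss -tuln" output on stdin, prints "proto/port"
# for each listening socket not bound to 127.x or ::1, duplicates removed.
exposed_listeners() {
  awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
         n = split($5, a, ":"); port = a[n]
         addr = substr($5, 1, length($5) - length(port) - 1)
         if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
         print $1 "/" port
       }' | sort -u
}

# flag_unexpected_listeners: prints exposed listeners absent from
# KNOWN_LISTENERS. Returns 0 if nothing unexpected, 1 otherwise.
flag_unexpected_listeners() {
  bad=0
  for sock in $(exposed_listeners); do
    case " $KNOWN_LISTENERS " in
      *" $sock "*) ;;
      *) echo "UNEXPECTED: $sock"; bad=1 ;;
    esac
  done
  return $bad
}

# Constructed sample: sshd on all addresses, CUPS on loopback only,
# and mDNS (udp 5353) on all addresses.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      5              [::1]:631          [::]:*'

# On a real machine, check the live socket table.
if command -v ss >/dev/null 2>&1; then
  ss -tuln | flag_unexpected_listeners || echo "Research or disable the services above."
fi
```

In the sample, the loopback-only CUPS socket is ignored while the mDNS listener is reported, which is the “disable it unless you use it” case the Services step describes.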

Research anything suspicious! Malware and virus checkers will give false positives, and legitimate software can have odd names. A quick visit to your favorite search engine will reveal whether something is bogus or not.


References: I found these resources valuable.

Linux Mint Debian Edition User Guide  http://livelinux.altervista.org/Guida_LMDE/EN_sicurezza.html

9 Best practices to secure your Linux  http://www.unixmen.com/9-best-practices-to-secure-your-linux-desktop-and-server/

10 ways to secure your Linux desktop  http://www.techrepublic.com/blog/10-things/10-ways-to-secure-your-linux-desktop/

Hardening the Linux desktop  http://www.ibm.com/developerworks/linux/tutorials/l-harden-desktop/


-Kenn Ranous
